
I'm working on a legacy project in Rails 4 where the rack-cors gem is used for allowing CORS. I know that there is an option to whitelist a domain.

use Rack::Cors do
  allow do
    # Strings match an origin exactly; regular expressions can be used here too
    origins 'localhost:3000', '127.0.0.1:3000',
            /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/

    resource '/file/list_all/', :headers => 'x-domain-token'
    resource '/file/at/*',
             methods: [:get, :post, :delete, :put, :patch, :options, :head],
             headers: 'x-domain-token',
             expose: ['Some-Custom-Response-Header'], # headers to expose
             max_age: 600
  end
end

Is there any option to blacklist a domain so that CORS is disabled for that particular domain? I'm trying to figure this out because I can't really find all the domains that are using the API in the project. I couldn't find anything in the documentation to blacklist a specific domain.

Is there any other way to implement this? Thanks for the help in advance.

1 Answer


The best way to blacklist unsafe domains is by using the rack-attack gem

# config/initializers/rack_attack.rb

# Domains to block, e.g. /foo\.com|bar\.com/
spammer_regexp = /foo\.com|bar\.com/

Rack::Attack.blocklist('block spammers') do |req|
  # `req` is the Rack::Attack::Request for the current request;
  # the block returning a truthy value blocks it
  req.referer =~ spammer_regexp
end
Tony Vincent
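Since the question reports that rack-cors only offers an allow list, one way to get the denylist effect is a small middleware inserted before Rack::Cors that rejects requests by their Origin header, which is the header CORS decisions are actually keyed on (the Referer used above is a different header). This is an added example, not code from the question, the answer, rack-cors or rack-attack; the class name and the host names are constructed for illustration.

```ruby
require 'uri'

# Rack middleware that denies cross-origin requests from specific hosts by
# parsing the Origin header. Insert it before Rack::Cors so that denied
# origins never reach the CORS layer and never receive an
# Access-Control-Allow-Origin header.
class DenyCorsOrigins
  # Constructed sample values. A subdomain of a listed host
  # (api.bad.example) is denied too; bad.example.net is not.
  DENIED_HOSTS = %w[bad.example spam.example].freeze

  def initialize(app, denied_hosts = DENIED_HOSTS)
    @app = app
    @denied_hosts = denied_hosts
  end

  # True when the Origin's host equals, or is a subdomain of, a denied host.
  # The host comes from a parsed URI rather than a substring regexp, so
  # "http://bad.example.evil.test" and "http://notbad.example" are not
  # mistaken for "http://bad.example" (an unanchored /bad\.example/ would
  # match both).
  def self.denied_origin?(origin, denied_hosts = DENIED_HOSTS)
    return false if origin.nil? || origin.empty? || origin == 'null'
    host = URI.parse(origin).host
    return false if host.nil?
    host = host.downcase
    denied_hosts.any? { |d| host == d || host.end_with?(".#{d}") }
  rescue URI::InvalidURIError
    false # an unparseable Origin is left for the next layer to handle
  end

  def call(env)
    if self.class.denied_origin?(env['HTTP_ORIGIN'], @denied_hosts)
      # No CORS headers are added, so a browser will not expose this
      # response to the calling page; the 403 mainly helps server-side logs.
      return [403, { 'Content-Type' => 'text/plain' }, ['Origin not allowed']]
    end
    @app.call(env)
  end
end

# Usage in config.ru or an initializer (order matters):
#   use DenyCorsOrigins
#   use Rack::Cors do ... end
```

Requests without an Origin header (same-origin navigation, curl) pass through untouched, so the middleware only affects cross-origin browser traffic.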